Bug 1511850

Summary: Setting empty sudoers_search_filter via sudo-ldap.conf generates an invalid LDAP query filter
Product: Red Hat Enterprise Linux 7 Reporter: Daniel Kopeček <dkopecek>
Component: sudoAssignee: Daniel Kopeček <dkopecek>
Status: CLOSED ERRATA QA Contact: Dalibor Pospíšil <dapospis>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.4CC: dapospis, lmiksik, pkis, rsroka
Target Milestone: rcKeywords: Patch, Triaged
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: sudo-1.8.19p2-13.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 14:44:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
filter patch none

Description Daniel Kopeček 2017-11-10 10:00:38 UTC 
Description of problem:
https://www.sudo.ws/pipermail/sudo-workers/2017-August/001113.html

How reproducible:
Always

Steps to Reproduce:
1. Configure sudo to use LDAP source for sudoers in nsswitch.conf
2. Set SUDOERS_SEARCH_FILTER without a value in sudo-ldap.conf
3. Set SUDOERS_DEBUG to enable LDAP code debugging messages
4. Try sudo ls or something

Actual results:
--- snip ---
sudo: ldap search '(sudoUser=*)(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=localhost,dc=localdomain'
sudo: ldap search pass 2 failed: Bad search filter
--- snip ---

Expected results:
Correct LDAP query filter passedto LDAP API

Additional info:
Upstream fix:
https://github.com/millert/sudo/commit/5cdee2c2c070081da38cf8014390887cd119920d
Comment 2 Radovan Sroka 2017-11-16 11:43:25 UTC 
Created attachment 1353435 [details]
filter patch
Comment 6 Dalibor Pospíšil 2018-01-02 15:35:50 UTC 
OLD sudo-1.8.19p2-11.el7
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   test SUDOERS_SEARCH_FILTER, provider ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:15:06 ] :: [   INFO   ] :: using '/var/tmp/beakerlib-dGwVR9a/backup-SUDOERS_SEARCH_FILTER' as backup destination
:: [ 16:15:07 ] :: [   PASS   ] :: Command 'rlFileBackup --namespace SUDOERS_SEARCH_FILTER --clean /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:07 ] :: [   PASS   ] :: Command 'sed -i '/SUDOERS_TIMED/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:07 ] :: [   PASS   ] :: Command 'sed -i '/SUDOERS_DEBUG/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:07 ] :: [   PASS   ] :: Command 'sed -i '/SUDOERS_SEARCH_FILTER/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:07 ] :: [   PASS   ] :: Command 'echo 'SUDOERS_DEBUG 1' >> /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:08 ] :: [   PASS   ] :: Command 'su - userallowed -c 'sudo true'' (Expected 0, got 0)
:: [ 16:15:08 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.mkUoinw3' should contain 'sudo: ldap search.*objectClass=sudoRole.*sudoUser=\*.*sudoUser=\+\*' 
:: [ 16:15:08 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.mkUoinw3' should contain 'sudo: ldap search.*objectClass=sudoRole.*sudoUser=userallowed' 
:: [ 16:15:08 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.mkUoinw3' should not contain 'sudo: ldap search pass 2 failed: Bad search filter' 
:: [ 16:15:08 ] :: [   PASS   ] :: Command 'echo 'SUDOERS_SEARCH_FILTER' >> /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:08 ] :: [   PASS   ] :: Command 'su - userallowed -c 'sudo true'' (Expected 0, got 0)
:: [ 16:15:09 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.wsSoryDy' should not contain 'sudo: ldap search.*objectClass=sudoRole' 
:: [ 16:15:09 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.wsSoryDy' should contain 'sudo: ldap search.*sudoUser=\*.*sudoUser=\+\*' 
:: [ 16:15:09 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.wsSoryDy' should contain 'sudo: ldap search.*sudoUser=userallowed' 
:: [ 16:15:09 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.wsSoryDy' should not contain 'sudo: ldap search pass 2 failed: Bad search filter' 
:: [ 16:23:31 ] :: [   PASS   ] :: Command 'rlFileRestore --namespace SUDOERS_SEARCH_FILTER' (Expected 0, got 0)
________________________________________________________________________________
:: [ 16:23:31 ] :: [   LOG    ] :: Duration: 505s
:: [ 16:23:31 ] :: [   LOG    ] :: Assertions: 15 good, 1 bad
:: [ 16:23:31 ] :: [   FAIL   ] :: RESULT: test SUDOERS_SEARCH_FILTER, provider ldap



NEW sudo-1.8.19p2-13.el7:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   test SUDOERS_SEARCH_FILTER, provider ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:28:03 ] :: [   INFO   ] :: using '/var/tmp/beakerlib-yhENxsp/backup-SUDOERS_SEARCH_FILTER' as backup destination
:: [ 16:28:03 ] :: [   PASS   ] :: Command 'rlFileBackup --namespace SUDOERS_SEARCH_FILTER --clean /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:03 ] :: [   PASS   ] :: Command 'sed -i '/SUDOERS_TIMED/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:03 ] :: [   PASS   ] :: Command 'sed -i '/SUDOERS_DEBUG/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:03 ] :: [   PASS   ] :: Command 'sed -i '/SUDOERS_SEARCH_FILTER/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:04 ] :: [   PASS   ] :: Command 'echo 'SUDOERS_DEBUG 1' >> /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:04 ] :: [   PASS   ] :: Command 'su - userallowed -c 'sudo true'' (Expected 0, got 0)
:: [ 16:28:04 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.Ct1PyCfk' should contain 'sudo: ldap search.*objectClass=sudoRole.*sudoUser=\*.*sudoUser=\+\*' 
:: [ 16:28:04 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.Ct1PyCfk' should contain 'sudo: ldap search.*objectClass=sudoRole.*sudoUser=userallowed' 
:: [ 16:28:04 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.Ct1PyCfk' should not contain 'sudo: ldap search pass 2 failed: Bad search filter' 
:: [ 16:28:04 ] :: [   PASS   ] :: Command 'echo 'SUDOERS_SEARCH_FILTER' >> /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:05 ] :: [   PASS   ] :: Command 'su - userallowed -c 'sudo true'' (Expected 0, got 0)
:: [ 16:28:05 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.hJWJ2PhG' should not contain 'sudo: ldap search.*objectClass=sudoRole' 
:: [ 16:28:05 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.hJWJ2PhG' should contain 'sudo: ldap search.*sudoUser=\*.*sudoUser=\+\*' 
:: [ 16:28:05 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.hJWJ2PhG' should contain 'sudo: ldap search.*sudoUser=userallowed' 
:: [ 16:28:05 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.hJWJ2PhG' should not contain 'sudo: ldap search pass 2 failed: Bad search filter' 
:: [ 16:28:26 ] :: [   PASS   ] :: Command 'rlFileRestore --namespace SUDOERS_SEARCH_FILTER' (Expected 0, got 0)
________________________________________________________________________________
:: [ 16:28:26 ] :: [   LOG    ] :: Duration: 23s
:: [ 16:28:26 ] :: [   LOG    ] :: Assertions: 16 good, 0 bad
:: [ 16:28:26 ] :: [   PASS   ] :: RESULT: test SUDOERS_SEARCH_FILTER, provider ldap
Comment 9 errata-xmlrpc 2018-04-10 14:44:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0824